Equifax data breach: Feds start investigation



The Federal Trade Commission, a consumer watchdog agency, confirmed Thursday it's investigating the credit reporting agency for hacker attacks on its data systems that compromised personal data on nearly half of all U.S. consumers.

"The FTC typically does not comment on ongoing investigations. However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach," said Peter Kaplan, the FTC’s acting director of public affairs, in a statement.

The Consumer Financial Protection Bureau, the independent consumer watchdog agency created by the Dodd–Frank Wall Street Reform and Consumer Protection Act in 2010, also said it's investigating Equifax.

An estimated 143 million U.S. consumers could be affected by the breach, Equifax said. The hackers also gained access to credit card numbers for roughly 209,000 consumers, as well as certain dispute documents with personal identifying information for about 182,000 consumers.

Equifax Security first discovered the intrusion on July 29 and revealed it last week, triggering massive criticism that it dragged its feet on alerting consumers.

Equifax, based in Atlanta, apologized for the breach and set up free credit monitoring and identity protection services.

Meanwhile, Equifax CEO Richard Smith is expected to testify early next month at the first congressional hearing focused on the cyberbreach.

Smith accepted a request to discuss the damaging incident during an Oct. 3 hearing of the House Subcommittee on Digital Commerce and Consumer Protection, said Rep. Bob Latta, R-Ohio, the panel’s chairman.

“We look forward to hearing directly from Mr. Smith on this unprecedented breach that has raised serious questions about the security of consumers’ personal information,” said Latta and Rep. Greg Walden, R-Oregon, who chairs the House Energy and Commerce Committee, of which the subcommittee is a part.

The panels received a preliminary briefing from Equifax last week, Walden and Latta said. The House Energy and Commerce Committee has jurisdiction over the Federal Trade Commission and Consumer Financial Protection Bureau, the agencies responsible for regulating data security.

Equifax told USA TODAY Tuesday that the breach was due to a vulnerability in free, open-source software, called Apache Struts, that it used to create Java web applications.

Cybersecurity professionals discovered the vulnerability and alerted Equifax about a fix two months before the company was hit by hackers.

"The Equifax data compromise was due to (Equifax's) failure to install the security updates provided in a timely manner," The Apache Foundation, which oversees the open source software, said Thursday.

"Understandably, many people are questioning why it took six weeks to report the incident to the public," Equifax's Smith wrote in an editorial for USA TODAY. "Shortly after discovering the intrusion, we engaged a leading cybersecurity firm to conduct an investigation. At the time, we thought the intrusion was limited."

"This is the most humbling moment in our 118-year history," Smith wrote.